
Data Breach Response Plan Template — Notifiable Data Breaches Scheme

Operational response plan for the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act. Covers the four-step response (Contain, Assess, Notify, Review), 30-day assessment timeline, OAIC notification statement under section 26WK, individual notification options, and a 7-year breach register.

Privacy Act 1988 · Notifiable Data Breaches scheme · OAIC NDB guidance · 5 pages, Word format


What's in this template?

This free Data Breach Response Plan template gives Australian healthcare practices the operational playbook they need to comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988. It is built directly from the structure of the OAIC's NDB scheme guidance and the OAIC Data Breach Response Plan checklist, then tailored for medical and allied health settings.

The template has 11 sections, the last of which is a formal sign-off block:

  1. Purpose and authority — links the plan to Part IIIC of the Privacy Act
  2. What is an eligible data breach? — the three-part test, with healthcare-specific examples
  3. Roles and the response team — Privacy Officer (lead), practice owner, IT, communications, legal
  4. Response checklist (one page) — Contain, Assess, Notify, Review
  5. Notifying the OAIC — section 26WK statement content
  6. Notifying affected individuals — three options under section 26WL
  7. Exceptions and special situations — multi-party, enforcement, My Health Record
  8. Record keeping — 7-year breach register
  9. Contact directory — OAIC, IDCARE, ACSC, System Operator, insurer, lawyer
  10. Related documents — full document set
  11. Approval and review — formal sign-off table

Editable placeholder fields

  • {{practice_name}}, {{abn}}
  • {{privacy_officer}}, {{privacy_officer_phone}}, {{privacy_officer_email}} — response lead
  • {{practice_manager}}, {{practice_owner}}, {{it_support_contact}}
  • {{cyber_insurance_contact}}, {{legal_advisor}}
  • {{review_date}}, {{next_review_date}}

Who needs a Data Breach Response Plan?

Every Australian APP entity is bound by the Notifiable Data Breaches scheme, and APP 1.2 separately requires reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs. The OAIC's guidance treats a documented response plan as the baseline way of meeting both. Healthcare practices are in scope regardless of turnover: the $3 million small-business exemption does not apply to an organisation that provides a health service and holds health information.

That includes:

  • General practices of any size, including solo GPs
  • Specialist medical practices
  • Allied health practices (physiotherapy, podiatry, psychology, optometry, dental, etc.)
  • NDIS providers holding participant information
  • Pharmacies, pathology and diagnostic imaging providers
  • Aboriginal Community Controlled Health Organisations
  • Private hospitals, day surgeries and aged care providers

If there is a chance your practice could lose a USB drive, send a referral to the wrong specialist, or be hit by ransomware, you need this plan ready before it happens — not after.

NDB scheme at a glance

The Notifiable Data Breaches scheme requires APP entities to notify the OAIC and affected individuals of an eligible data breach — a breach where:

  • Personal information is subject to unauthorised access, disclosure or loss
  • The breach is likely to result in serious harm to one or more individuals
  • The entity has not been able to prevent the likely risk of serious harm by remedial action

The serious-harm test is the same for all personal information, but the kind and sensitivity of the information is one of the factors the Act (section 26WG) directs an entity to weigh, and health information is sensitive information. In practice the OAIC treats a breach of health records as more likely to meet the threshold than a breach of ordinary contact details. Notification to the OAIC must occur as soon as practicable after the entity becomes aware that there are reasonable grounds to believe an eligible data breach has occurred. Where it is not yet clear whether the test is met, the entity has up to 30 days to carry out a reasonable and expeditious assessment (section 26WH); the 30 days is a ceiling, not a target.

Privacy Act requirement

Part IIIC of the Privacy Act 1988 makes notification a legal obligation, not a discretionary one. Failure to comply can result in:

  • An OAIC determination requiring corrective action
  • Civil penalties for serious or repeated interferences with privacy of, for a body corporate, the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover for the relevant period (following the 2022 amendments)
  • Public OAIC enforcement action and reputational damage
  • Loss of accreditation status

Healthcare data breaches are over-represented in OAIC notification statistics — the Health sector has consistently been the top-notifying sector since the scheme began. Having a documented response plan is the OAIC's expected baseline.

How to customise this template

  1. Download the Word document and replace every {{placeholder}} with your details
  2. Nominate the Privacy Officer as response lead and the practice owner as escalation point
  3. Print section 4 (the response checklist) as a one-page laminate — this is what the response team grabs in the first hour
  4. Confirm the contact directory in section 9 — your cyber insurance broker, lawyer, MSP and (if registered) My Health Record contact
  5. Run a tabletop exercise at least annually — simulate a misdirected email or ransomware scenario so the team is not seeing the plan for the first time during a real incident
  6. File the plan with the Privacy Management Plan and the patient-facing Privacy Policy
  7. Review at least annually and after every notifiable breach

Related templates and tools

The response plan is the operational counterpart to the Privacy Management Plan. Pair it with the rest of the Privacy Act library:

  • Privacy Management Plan — APP 1.2 governance plan
  • Patient Data Collection Notice — APP 5 collection notice
  • Data Retention and Destruction Policy — APP 11 retention schedules
  • Patient Access and Correction Procedure — APP 12 and APP 13 requests
  • Third-Party Data Sharing Agreement — vendor breach notification clauses

Use our free Notifiable Data Breach Wizard tool to draft the section 26WK statement to the OAIC interactively.

Frequently asked questions

Is a Data Breach Response Plan mandatory under the Privacy Act?

The Privacy Act does not expressly require a written response plan, but the OAIC's NDB scheme guidance and Privacy Management Framework treat a documented plan as the standard way of taking reasonable steps to comply with Part IIIC. In practice, the OAIC will ask to see the plan when it investigates a breach, and accreditors expect to see one as part of the evidence for APP 1.2.

What is an "eligible data breach" under the NDB scheme?

An eligible data breach is one where (i) there is unauthorised access, unauthorised disclosure or loss of personal information; (ii) the access, disclosure or loss is likely to result in serious harm to one or more individuals; and (iii) the entity has not been able to prevent the likely risk of serious harm by remedial action. All three limbs must be satisfied.

How long do we have to notify the OAIC?

The Privacy Act requires notification "as soon as practicable" after the entity becomes aware that there are reasonable grounds to believe an eligible data breach has occurred. Where there are reasonable grounds to suspect (but not yet to believe), the entity has up to 30 days to complete an assessment. Many breaches need to be notified within days, not weeks.

What counts as "serious harm" for health information?

Serious harm includes physical, psychological, emotional, financial and reputational harm. Health information is recognised by the OAIC as particularly sensitive — the unauthorised disclosure of a single patient's mental health, sexual health, drug and alcohol or family violence history can be enough to meet the threshold even where only one individual is affected.

Do we need to notify if we recover the information quickly?

If remedial action prevents the likely risk of serious harm, the breach is not an eligible data breach and notification is not required. The OAIC expects the practice to document the assessment and the remediation, including the evidence that the remediation actually worked. The classic example is a misdirected email where the recipient confirms in writing that it was deleted unopened and not forwarded. A mail-client "recall" on its own is not that evidence: recall only works within the same mail system and only if the message is still unread, and it almost never works for an external recipient. Verify the outcome before relying on it.

Are reception staff allowed to handle a breach?

Reception staff are usually the first to detect a breach (a misdirected SMS, a complaint from a patient who received someone else's results). Their role is to escalate immediately to the Privacy Officer, contain to the extent they reasonably can, and preserve evidence. The substantive response is owned by the Privacy Officer and the response team.

Does this plan cover My Health Record breaches?

Yes — section 7 covers the additional notification to the System Operator (Australian Digital Health Agency) under the My Health Records Act 2012. For practices registered to the My Health Record system, this plan complements the Rule 42 Security and Access Policy, which requires breach handling provisions specific to MHR.
